Setting up the security environment by using FMNSECUR

A security exit is provided for security control from within File Manager if you do not use RACF® or equivalent security product, or if SAF is not active at your installation. This exit is called FMNSECUR and is distributed in FMN.SFMNSAM1. You use FMNSECUR to protect selected File Manager functions from unauthorized users.

If you want to use FMNSECUR for security, customize it as described below and install it using the usermod FMNUMODS. For information on installing FMNUMODS, see Installing FMNSECUR using FMNUMODS.

Copy FMNSECUR from FMN.SFMNSAM1 to your own source library and edit it there. By default, in the supplied FMNSECUR, no functions are protected. This means that any user can use any File Manager function unless otherwise specified. You can override this as follows:
  • Give or deny some users (or all users) access to one of the following groups of File Manager functions:
    FILEM.DISK.INPUT
    Disk input functions
    FILEM.DISK.UPDATE
    Disk update functions
    FILEM.TAPE.INPUT
    Tape input functions
    FILEM.TAPE.OUTPUT
    Tape output functions
    FILEM.TAPE.DUPLICATE
    Tape copy functions
    FILEM.TAPE.UPDATE
    Tape update functions
    FILEM.VSAM.UPDATE
    VSAM update functions
    FILEM.OAM.OUTPUT
    OAM output functions
    FILEM.OAM.UPDATE
    OAM update functions
    FILEM.LOADMOD.UPDATE
    Load module update functions
    FILEM.OTHER.ALL
    All other functions
    FILEM.TAPE.BLP
    See Controlling Bypass Label Processing (BLP)
    FILEM.DISK.FULLPACK
    See Controlling fullpack access to DASD volumes

    For more information about these groups, see File Manager function to profile name cross-reference.

  • Give or deny some users (or all users) access to an individual File Manager function.

Controlling access

Three facility groups are provided to allow you to control access to File Manager base function, and to FM/IMS and FM/Db2, from the FM/CICS primary option menu. These groups are:
FILEM.CICS.BASE
Access to the File Manager Base function
FILEM.CICS.IMS
Access to FM/IMS
FILEM.CICS.DB2
Access to FM/Db2

If a user ID running FM/CICS has read access to any of these groups, then the associated function (FM, FM/IMS or FM/Db2) will appear on the FM/CICS primary option menu and the user can invoke these functions, if they are installed.

If you have installed and customized the FM/CICS component, you should review your requirement for this access.

For more information about FM/CICS, see Customizing File Manager CICS Component, and also the File Manager User’s Guide and Reference for CICS.

Protecting update functions

Three facility groups are provided to enable you to protect update functions in the File Manager Base function, FM/Db2, and FM/CICS. They are:
FILEM.BASE.UPDATE
Protect update functions in the File Manager Base component
FILEM.DB2.UPDATE
Protect update functions in FM/CICS
FILEM.CICS.UPDATE
Protect update functions in FM/CICS

(This aspect of security is handled differently for FM/IMS, see IMS subsystems and FM/IMS functions access control facility.)

These facility classes also require the option SEC=YES to be specified in FMN0POPT (for the File Manager Base component), FMN2POPT (for FM/Db2), and FMN3POPT (for FM/CICS). For information about the SEC option, see SEC. For more information about the protected functions, see Unprotected functions and profile names for protected functions. For a list of functions that are protected by this method, see File Manager unprotected functions, Customizing to protect update functions in FM/Db2, and Customizing to protect update functions in FM/CICS.

If you do not specify SEC=YES in your options modules, then no checking of these facility classes is done.

You modify FMNSECUR for your requirements by supplying FMNS macro statements to provide the control you want. Refer to the prolog in the supplied sample FMNSECUR for information about how FMNSECUR processes the FMNS macro statements, and where to insert the statements in the FMNSECUR source. The syntax of the FMNS macro is described in Syntax of the FMNS macro.

Examples of giving or denying access

The following examples show how to use FMNSECUR to give or deny a user access to a group of functions or a specific function.

  • To give a user access to a group of functions (for example, tape output functions), add statements similar to this to FMNSECUR: 
    FMNS CLASS=FACILITY,
     ENTITY=FILEM.TAPE.INPUT,
     ACCESS=READ,
     USERID=userid
    Similarly, to deny a user access to tape output functions, add statements similar to this: 
    FMNS CLASS=FACILITY,
     ENTITY=FILEM.TAPE.INPUT,
     ACCESS=NONE,
     USERID=userid
  • To give a user access to a specific function (for example, the VSAM to Tape function), add statements similar to this: 
    FMNS CLASS=FACILITY,
     ENTITY=FILEM.FUNCTION.VT,
     ACCESS=READ,
     USERID=userid
    Similarly, to deny a user access to the VT function, add statements similar to this: 
    FMNS CLASS=FACILITY,
     ENTITY=FILEM.FUNCTION.VT,
     ACCESS=NONE,
     USERID=userid

When a user tries to use a File Manager function, FMNSECUR is called (once) with both the profile name shown in File Manager function to profile name cross-reference (in the form FILEM.group.name) and the function code. FMNSECUR reads through the list of FMNS macros until a match is found for the user name or job name, and either the profile name or the function code. The first match found is used.

This means that each FMNS macro effectively overrides any FMNS macro that appears after it in the file. If you want FMNSECUR to have the same behaviour as SAF (where function code specifications override profile name specifications), put all of your function code specifications before your profile name specifications.